Thoughtful, detailed coverage of the Mac, iPhone, and iPad, plus the TidBITS Content Network for Apple consultants.

Protect Yourself from Adobe Acrobat and Reader Vulnerabilities

On 13-Oct-09 Adobe released a major security update for multiple versions of its Adobe Acrobat and Adobe Reader products on Windows, Macs, and Linux platforms for flaws that could allow an attacker to take over vulnerable systems.

Due to Adobe's atrocious security record, I recommend that all Mac users not only immediately patch Adobe Reader and Acrobat, but make sure they set Apple's Preview as their default PDF reader. Unless you need to access PDF files with Adobe's digital rights management protection, or commonly encounter PDF files that it can't display properly, Preview is more than sufficient to meet your day-to-day PDF viewing needs.

Adobe Acrobat, a commercial product used to create PDF files, is harder to replace, but it's also far less commonly needed. Many Mac programs can generate PDF files directly, and Mac OS X has long had a Save as PDF command in the Print dialog, which enables you to turn anything you can print into a PDF. This likely won't meet the needs of marketing professionals, designers, or ebook publishers, but is sufficient for the average home user or office worker.

The latest vulnerabilities affect Adobe Reader 9.1.3 and Acrobat 9.1.3, Adobe Reader 8.1.6 and Acrobat 8.1.6 for Windows, Macintosh and Unix, and Adobe Reader 7.1.3 and Acrobat 7.1.3 for Windows and Macintosh. These vulnerabilities allow an attacker to take over your computer even if all you do is view a maliciously crafted PDF file. For Windows users, this vulnerability was being exploited in the wild before the patch was released (what we in the security field call a "zero day vulnerability").

We have no evidence that Mac users are currently being exploited, but we also don't know of any technical obstacle preventing attackers from targeting Macs. Even on Windows, an attacker has to get you to open a malicious file, and while this attack is in the wild, it's certainly not widespread. In other words, your risk as a Mac user right now is quite low, but it's still prudent to patch.

The vulnerabilities are fixed in Adobe Reader 9.2, 8.1.7, and 7.1.4, and in Adobe Acrobat Pro 9.2, 8.1.7, and 7.1.4. Though Adobe has updater programs, they fail sufficiently frequently that your best bet may be a manual download and update. Note that you will likely have to download and install each interim update in turn; the Acrobat 8.1.7 update, for instance, can install only on 8.1.6, not 8.1.5 or earlier.

This isn't the first time the wings have fallen off the Adobe security plane this year. According to a recent report by the SANS Institute, this is at least the third time in the past 7 months that Acrobat and Reader were affected by critical zero day vulnerabilities. While the exploits have targeted Windows users, the vulnerabilities were potentially equally exploitable on Macs.

According to Adobe's security page, the company has released nine critical updates, some patching multiple vulnerabilities, for Acrobat and Reader 9.x since February 2009. Adobe has struggled so much with patching that they have switched to a new quarterly patch schedule to help IT administrators keep their systems up to date with the latest security fixes.

With such a poor security record, and considering the PDF support built into Mac OS X for reading and creating documents, it makes little sense to use Reader as your default PDF viewer on a Mac, and Acrobat users should ask themselves if they need the program's extra features.

People who have switched over from Windows, in particular, often install and use Adobe Reader and Acrobat without realizing the native Mac software might already meet their needs. For example, a family member of mine who switched from Windows immediately installed Reader out of habit, not realizing she didn't need it to view most documents (and she has never found a PDF she couldn't view with Preview).

There are exceptions. Preview can't open protected PDF files, and it may not render all PDF documents properly. The PDF file format has become extremely complex over the years, including support for JavaScript, embedded Flash content, and other advanced options. Acrobat includes far more extensive controls and content capabilities than simply printing to PDF, especially if you need to manage image resolutions and formats. Of course, this complexity in Reader and Acrobat is where a lot of these security problems come from in the first place.

Adobe does recognize the risk these security issues create for their business. Earlier this year they launched a major security initiative to improve the quality of their code and their response process. This is a commendable move, but due to the complexity of software development these initiatives usually take years to manifest fully in released products.

Since there is no risk unless you open a malicious file with Reader or Acrobat, one of the best steps you can take to limit the chances of future issues (aside from staying up to date with patches) is to set Preview as your default reader. Not that Preview is perfect, but we have yet to see it face the same number of zero day vulnerabilities or exploits.

Changing your default PDF viewer is easy. Simply Control-click (or right-click) any PDF file and select Get Info. In the Open With section of the Get Info window, choose Preview from the pop-up menu, and click the Change All button.

Your risk of being exploited is so low as to be unmeasurable, but since Adobe products (Reader, Acrobat, and Flash) are currently one of the main sources of cross-platform vulnerabilities, it makes sense to keep them up to date, and use them only when you really need them.


READERS LIKE YOU! Support TidBITS by becoming a member today!
Check out the perks at <>
Special thanks to David Wansbrough, Trevor Lawrence, John Vittal, and
William Ching for their generous support!

Comments about Protect Yourself from Adobe Acrobat and Reader Vulnerabilities
(Comments are closed.)

Ari Blackthorne  2009-10-16 13:08
Personally, I use Preview on my Mac and I simply don't view PDF files on my Windows machine. If I receive a PDF that requires Adobe anything, I toss it out and let the author know: "you are abusing me because nothing you can give me is important enough to download and install software." eBooks: I check before purchase - and refuse to purchase anything that only offers PDF formats.

Flash is abuse: it's the worst "video codec" among video codecs and the only other prevailent use is web page advertising. Because the developers are producers are lazy.

Everything Adobe has become boated, unstable and 'hack-prone". It was a genuinely sad day when Adobe purchased Macromedia.

I mean it when I say I am Microsoft-free (except Windows XP on my PC) and I am working very hard to make myself Adobe-free.

Like Microsoft, Adobe has gone lazy and their software applications have all turned into fat, sluggish, buggy bloatware that isn't great. Good yes, but not great
Brandon Ayon  2009-10-16 21:28
Hmm thats interesting just last night my computer logged itself out twice and then this morning i saw the icon up in the menu bar that tells me when someone is remotely accessing my computer. It was at the same time I opened up a pdf document in adobe so i believe i was one of the few that got attacked, however, Im not sure about me opening up a malicious file b/c the file I opened was a math e-book sent to me from one of my teachers. So either I did get attacked or my computer had a glitch and showed me that icon by mistake
Jeremy Reichman  2009-10-19 05:59
Do we have any indiciation that Apple's PDF Kit (an OS library) itself is not vulnerable to the same or similar exploits?

It doesn't seem wise to jump to the conclusion that Apple or any other vendor that supports PDF is immune from a particular flaw until it has been proven. Different software may be using similar underlying libraries (such as for image handling), may reimplement a flaw in a different way (to keep with a spec), or have a different flaw that's as yet undetected.
I highly recommend using NoScript in Firefox to prevent accidentally loading PDFs (along with the excellent Firefox PDF Plugin for Mac OS X to render them in the browser, when you do in fact want to open them, which uses the native PDF Kit).

@Jeremy Reichman: This is a very good point. Though I think we can be fairly certain there will be "different flaws" - I doubt that Apple's engineers have perfected this or any other library to be totally un-exploitable.
Patrick Skelly  2009-10-19 19:36
I just sent the following message to Adobe:
I have been advised that I need to upgrade to Adobe Acrobat 8 Pro 8.1.7 for security reasons.
I had previously upgraded - painfully, step by step, to 8.1.5. I am trying - as you now direct - to upgrade first to 8.1.6 and then to 8.1.7, but I receive the following message:
The patch has failed because the application has been modified since it was originally installed (for example, plug-ins may have been disabled).
Please go to the Adobe support website for more information regarding how to re-enable disabled components prior to installing the patch. Or, you can uninstall and reinstall the application, and then reinstall the patch.
Adobe Acrobat 8.1.6 (CPSID_49167) failed to install.
I am not aware of any disabled components, nor of any reason I might have had to disable or modify Acrobat 8 Pro, nor do I know if I have any means of knowing where or what they were.
I originally installed 8.0.0 in 2006.
Adam Engst  An apple icon for a TidBITS Staffer 2009-10-20 07:22
Updating Adobe Acrobat is a royal pain in the tookus. I find myself having to download the individual updaters each time, and I have to make sure to rename Acrobat back to its original (I always put the version number in the name because I use 7, 8, and 9 and the version number lets me train LaunchBar to get the right version easily).

You may have to reinstall Acrobat entirely from scratch and apply the updates manually again, not that I wish such an onerous task on anyone.
Chris Hibbert  2009-10-19 20:15
I often open password-protected PDF files with Preview. Is there some other kind of protected PDF you can't open with Preview?
Joe Steele  2009-10-21 16:33
Yes. There are other types which are supported by Reader but not Preview: Certificate Security and Adobe Policy Server are two examples. There are also non-Adobe security mechanisms for PDF which require specific plug-ins to Reader and only work with Reader.